From: "Ludovic Courtès" <ludo@gnu.org>
To: Philip McGrath <philip@philipmcgrath.com>
Cc: 66658-done@debbugs.gnu.org
Subject: bug#66658: [PATCH] gnu: nghttp2: Replace with 1.57.0.
Date: Mon, 30 Oct 2023 00:35:40 +0100 [thread overview]
Message-ID: <871qdd6lyr.fsf@gnu.org> (raw)
In-Reply-To: <4cb10aa33d799603e45b839396261b8cfdaccbc6.1697861438.git.philip@philipmcgrath.com> (Philip McGrath's message of "Sat, 21 Oct 2023 00:20:30 -0400")
Hi Philip,
Philip McGrath <philip@philipmcgrath.com> skribis:
> This release mitigates CVE-2023-44487.
>
> * gnu/packages/web.scm (nghttp2-1.57): New variable.
> (nghttp2)[replacement]: Use it.
> ---
>
> I've never attempted to create a graft before, and I have **definitely not**
> tested this adequately, but `guix refresh` says:
>
>> Building the following 7989 packages would ensure 20638 dependent packages
>> are rebuilt:
>
> so it seems like a graft would be needed.
Indeed.
The two seem to be ABI-compatible:
--8<---------------cut here---------------start------------->8---
$ guix shell libabigail -- abidiff /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Function symbols changes summary: 0 Removed, 2 Added function symbols not referenced by debug info
Variable symbols changes summary: 0 Removed, 0 Added variable symbol not referenced by debug info
2 Added function symbols not referenced by debug info:
[A] nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
[A] nghttp2_option_set_stream_reset_rate_limit
$ readelf -a /gnu/store/n0xrvryfjg2yciifxb2c0ac5rx9wy0xi-nghttp2-1.49.0-lib/lib/libnghttp2.so.14 |grep SONAME
0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]
$ readelf -a /gnu/store/kimb54icxfxyi51v5vnr6x3pcf1km6q7-nghttp2-1.57.0-lib/lib/libnghttp2.so.14 |grep SONAME
0x000000000000000e (SONAME) Library soname: [libnghttp2.so.14]
--8<---------------cut here---------------end--------------->8---
(Bit questionable that the SONAME is exactly the same. Oh well.)
> The upstream nghttp2 advisory about the impact of CVE-2023-44487 is at:
> https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
Applied, thanks!
Ludo’.
prev parent reply other threads:[~2023-10-29 23:36 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-21 4:20 [bug#66658] [PATCH] gnu: nghttp2: Replace with 1.57.0 Philip McGrath
2023-10-29 23:35 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871qdd6lyr.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=66658-done@debbugs.gnu.org \
--cc=philip@philipmcgrath.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.